Facebook Joins Google, Mozilla, Barracuda in Paying Bug Bounties

Facebook has joined the handful of companies who pay bug bounties to researchers who discover vulnerabilities.

Most Website flaws, such as cross-site scripting, cross-site request forgery and remote code injection, would net the discoverer $500, Facebook said July 29. The company said it will pay more for serious issues but declined to specify the maximum amount. The catch is that researchers must privately report the issues to the social networking giant instead of publicizing it.

Facebook will not pay out for security bugs discovered in third-party applications or Websites that integrate with the social network. Denial-of-service vulnerabilities, spam or social engineering techniques and security flaws in Facebook's corporate infrastructure will not qualify under the program.

"That's a pity," Paul Ducklin, head of technology for the Asia Pacific group at Sophos, wrote on the NakedSecurity blog, noting that a majority of the security issues on Facebook are usually from third-party applications.

While Facebook has no actual control over third-party applications, they carry "an implicit endorsement" because of the way they are integrated on the social networking site, Ducklin said. Facebook also doesn't have a "decent application vetting process" to weed out scams, he said.

Researchers should "make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research," Facebook wrote in a post on the White Hat hacking portal.

Overall, the announcement was welcomed by various researchers who spend time finding and reporting serious issues on various Websites and software. There are only few software companies, notably Google, Mozilla, Barracuda Networks and HP TippingPoint, who offer cash rewards for reporting new vulnerabilities. Metasploit launched a similar program to discover new working exploits this past June.

Security researchers don't have a lot of choices when it comes to reporting security issues, Charlie Miller, a security researcher with Accuvant, told eWEEK in an earlier interview. Researchers can choose to report the vulnerability to the company "and get recognized on a Website," or sell the secret on the black market "and get a lot of money," Miller said.

"We shouldn't be putting people in that position in the first place," Miller said. Companies should give researchers an incentive that's worth making the effort to find zero-day vulnerabilities, he said.

Mozilla pays as much as $3,000 and Google $3,133.70 for the most serious bugs. While HP TippingPoint does not publicly disclose the amounts it pays researchers, there are reports that "Platinum" bounty hunters can get as much as $20,000 for a single vulnerability.

Mozilla has paid out about $40,000 per year since the inception of the program. Google has already paid over $90,000 so far this year for vulnerabilities found in its online services and in Google's Chrome Web browser.

"Facebook (and others) should set up test environments for researchers to mess with risk free," Miller wrote on Twitter shortly after the Facebook announcement.

Bug bounty programs encourage hackers to keep quiet about the problems they find until the company has had a chance to fix the issues. If a vulnerability is publicized, the users on that service or software are left unprotected while the company scrambles to find a fix.

Miller did not weigh in on whether researchers should publicize their findings as soon as they are discovered (full disclosure) or wait till it has been patched, saying that was up to the individual researcher. What is more important is setting "up a system where the things they want to do helps everyone," Miller said.

To qualify for the bounty, the person reporting the bug has to be the first one to privately notify Facebook of the flaw and live in a country "not under any current United States sanctions," such as North Korea, Cuba and Libya. The researcher also has to give the Facebook security team "a reasonable time" to address the problem before publicizing the issues.

Most companies, such as Microsoft and Oracle, refuse to pay for bug reports, although they usually credit the discoverer publicly when releasing updates and patches. Microsoft at least has said it will not sue or press charges against hackers who find security flaws in its online services and report it responsibly.

However, Miller and other researchers took exception to a similar pledge buried in the Responsible Disclosure Policy, which stated that as long as the researcher followed the rules, Facebook "will not bring any lawsuit against you or ask law enforcement to investigate you."

"If THEY decide researcher isn't reasonable they can get you arrested. No power for researcher. Sucky," Miller wrote on Twitter.

While Facebook is "entitled" to sue anyone violating the site's terms and conditions or call in law enforcement in case of a crime, there was no need to reiterate that sentiment when claiming it wants "to show our appreciation for our security researchers," Ducklin said.

"Please don't write what sounds eerily close to a threat to the very security researchers you want to get working on your behalf!" Ducklin wrote.